Category: Technology

2015 has been a big year for Telerivet. We launched many new features and improvements this year, making Telerivet an even more powerful platform for mobile messaging. In case you missed it, here are a few of the biggest new features:

New Data Visualizations

Using SMS polls to collect data? Telerivet now lets you visualize the top survey responses as a pie chart, bar graph, or table. When viewing the data table of poll responses, just click the “Stats” tab.

Featured User: Femina Hip

Femina Hip is a multimedia platform and civil society initiative working with youth across Tanzania. Since 1999, their aim has been to promote healthy lifestyles, sexual health, gender equality, entrepreneurship, and financial literacy.

In order to reinforce their message via SMS, Femina Hip uses Telerivet for several different activities:

Providing advice via an SMS hotline

Femina Hip created an SMS counseling hotline after realizing that many Tanzanian youth are more comfortable asking sensitive questions via SMS compared to other communication channels. With this SMS hotline, Tanzanian youth can send in their questions relating to sexual and reproductive health, economic empowerment, and citizen engagement. A member of Femina's outreach team receives the question via Telerivet, and sends a personalized response. In each issue of Fema Magazine, Femina's team publishes some of the SMS questions in the column "Mpendwa Anti" (Dear Auntie).

Live audience interaction

Femina Hip's television and radio shows now have an audience interaction component to them that is run through an SMS system. During each episode a "question of the week" is asked, and audience members are asked to send an SMS answer.

Pushing out information to communities

Femina Hip uses Telerivet to periodically send out information to their audience, especially to inform them about new upcoming media products, such as new seasons of their television and radio shows.

Telerivet is thrilled to announce our new strategic partnership with Nexmo.

Nexmo is an industry-leading cloud communications company that provides APIs for sending and receiving SMS text messages worldwide.

The new partnership offers a deeper integration between Telerivet and Nexmo's global SMS services, making it even easier for businesses and organizations to get mobile messaging solutions up and running with Telerivet.

In over 35 countries where Nexmo offers SMS-capable virtual numbers (see complete list), Telerivet now provides Nexmo as the preferred method of sending and receiving SMS via the Telerivet platform. By using Nexmo virtual numbers with Telerivet, businesses and organizations can get excellent SMS deliverability at affordable rates, including free incoming SMS messages.

For Telerivet customers using other methods to send and receive messages, don’t worry. You can still run your services on your preferred gateway — including Telerivet's Android gateway, your shortcode provider, or another 3rd party virtual number provider. Telerivet’s platform will continue to work the same way for you and offer all the same features as before.

In particular, for customers who currently use an Android device with Telerivet in a country with Nexmo virtual numbers, switching to a Nexmo virtual number can drastically simplify Telerivet, since it would no longer be necessary to maintain an Android device to send and receive SMS.

We’re particularly excited because Telerivet is the first such partner for Nexmo. Before Telerivet, only organizations with developers and technical expertise were able to use Nexmo’s APIs directly. Now, companies and non-profit organizations with limited developer resources can benefit from Nexmo as well.

Nexmo announced the partnership in a press release this morning. "Nexmo is very excited to be working with Telerivet. The partnership between a global messaging provider and a service-builder platform has never been so seamless for end users,” said Sassan Saedi, Nexmo’s Head of Product Marketing and Channels. “This is the first partnership in the market to leverage reliable, global SMS deliverability and optimal usability to finally make mobile messaging technology accessible to the 'long-tail' of organizations."

The “long-tail” of organizations that could benefit from using Nexmo with Telerivet includes:

Online merchants sending order status notifications and providing customer service

Today, massive excitement is building around universal, open Internet connectivity. With the establishment of high-profile global projects like Facebook’s Internet.org, incalculable social and economic gains seem just at the horizon. For developers, too, that means the rapid multiplication of new opportunities for the deployment of the best tools for driving innovation and connectivity all over the planet. But the Internet isn’t the only technology driving innovation and connectivity, especially when it comes to mobile.

A recent count put the number of mobile devices in the world at 7 billion—which is to say that the Age of the Internet is now also the Age of Mobile. SMS works on essentially all 7 billion of these devices, from smartphones to the ubiquitous feature phones of the developing world. Simply put, SMS texting is still the single most common use of all mobile devices anywhere—and use cases for SMS continue to multiply.

One could say that SMS works so well it has become almost invisible. Even while Internet access and smartphones continue to spread, and as Internet-based messaging apps like WhatsApp proliferate, SMS is still changing the way we communicate, travel, organize our lives, and run our businesses. It has played a quiet, crucial role in some of the most disruptive endeavors of the last few years: Twitter’s system of 140-character status updates was born out of SMS. Urban transportation startup Uber has SMS functionality baked into its smartphone applications, as do more and more popular smartphone apps ranging from food apps like Sprig to dating apps like CoffeeMeetsBagel.

A 2013 study by Forrester of 167 mobile-channel businesses found that 70% are already using SMS notifications, with another 16% planning to use SMS notifications in the next year. Similarly, 46% of businesses in the study already use two-way SMS, with another 18% planning to add two-way SMS in the next year.

Why is SMS still becoming more popular for businesses despite the continuing spread of internet access and smartphones?

As Steve French explains in a post on Wired.com, many companies that joined the smartphone app frenzy in the past few years are realizing that their new mobile app isn’t getting enough usage to justify the resources needed to build and maintain it. As a result, companies are now moving resources back to SMS—which is ubiquitous, interoperable, easy to use, affordable, and immediate. SMS also results in better customer engagement. Text messages have the highest open rate of any digital communication medium at 97%, compared to only 20-25% for email.

In the developing world, SMS is also continuing to spur innovation—not least because it can go places the Internet can’t. SMS-capable feature phones are perfect for regions without reliable electricity or the bandwidth to support a data-hungry smartphone. Because smartphones and laptops don’t yet dominate the technology landscape in developing countries, SMS solutions have jumped further forward than they might have in countries with fully developed Internet infrastructure.

But even as smartphones and internet access spread around the world and as new communication apps like WhatsApp, Facebook Messenger, and WeChat proliferate, those apps will only ever reach a fraction of mobile users. It’s likely that no single messaging app will win the market globally. As a result, SMS will remain the most ubiquitous technology that organizations and businesses can use to communicate with anyone.

SMS will play a crucial role in connecting us, fostering economic growth and our efforts to strengthen education, human rights, and global health. In conjunction with the Internet, it will continue to structure the life and work of people around the world. The best days of SMS are still ahead.

Like many online services, we at Telerivet spent much of last week responding to the OpenSSL Heartbleed vulnerability (see our post-mortem here).

While the lessons of Heartbleed are still fresh in our minds, now is the time for the software community to consider how we can improve our collective security and prepare for the next zero-day vulnerability. Whether the next vulnerability is in an open-source library, operating system, firmware, one’s own software, or a third-party service, many of the same lessons apply.

Our top 4 recommendations for online services to limit the fallout from the next vulnerability like Heartbleed:

1. Improve your SSL configuration

Heartbleed is the perfect advertisement for Perfect Forward Secrecy. Thousands of web services all realized this week that their SSL private keys may have been compromised. Those without PFS enabled also realized that someone who had been recording encrypted sessions could have used their private keys to decrypt up to two years’ worth of previous traffic to their servers.

But don’t just stop at enabling PFS — why not take this opportunity to enable HSTS in order to protect against SSL stripping too?

SSL configuration is hard to get right. Qualys SSL Labs makes it easy to test your server’s SSL setup and make sure it’s both secure and compatible with all the browsers out there. Try running their SSL server test on your own server, and follow their suggestions to improve your SSL config until you get an A or A+.
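As a local complement to an external scan, the two settings recommended above can be checked in a few lines. This is an added example, not code from the original post: the cipher lists and headers are constructed, and the 180-day HSTS threshold is an assumption of the example.

```python
# Added example: audit a server's cipher list and HSTS header offline.
# Every sample value below is constructed for illustration.

# OpenSSL-style name prefixes that imply an ephemeral key exchange.
# TLS 1.3 suites (TLS_*) always negotiate ephemeral keys.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed policy for this example

WEAK_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]
WEAK_HEADERS = {"Content-Type": "text/html"}
STRONG_CIPHERS = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                  "DHE-RSA-AES256-GCM-SHA384"]
STRONG_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def non_forward_secret(cipher_names):
    """Return suites not known to use an ephemeral key exchange.

    With these suites, a private key leaked later can decrypt recorded sessions.
    Static ECDH-* and plain RSA suites are flagged.
    """
    return [c for c in cipher_names if not c.upper().startswith(FS_PREFIXES)]


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def audit(cipher_names, headers):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    weak = non_forward_secret(cipher_names)
    if weak:
        findings.append("no forward secrecy: " + ", ".join(weak))
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age = parse_hsts(hsts).get("max-age")
        if not (isinstance(max_age, str) and max_age.isdecimal()):
            findings.append("HSTS max-age missing or malformed")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            # max-age=0 tells browsers to forget the HSTS policy entirely.
            findings.append(f"HSTS max-age too short: {max_age}s")
    return findings


if __name__ == "__main__":
    print(audit(WEAK_CIPHERS, WEAK_HEADERS))
    print(audit(STRONG_CIPHERS, STRONG_HEADERS))
```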

2. Subscribe to security announcement lists

Many of us were lucky to learn about Heartbleed very quickly on Monday, when it rapidly reached #1 on Hacker News. But system administrators shouldn’t rely on visiting the right website at the right time in order to react quickly to major vulnerabilities.

Fortunately, most major projects have an email list to alert users of security vulnerabilities.

Since it can be impractical to subscribe to announcement lists for every library and software package you depend on (like openssl-announce, where Heartbleed was first publicly announced), joining the security announcement list for your server operating system would be good enough for almost everyone. Here are a few:

When the next big zero-day vulnerability happens, don’t leave it up to chance whether you find out about it immediately or after it's already too late.

3. Limit your exposure when using third-party services

Many online services use various third-party services for functionality like customer support, CRM, analytics, payments, and ads that they rely on to safeguard private data about their customers. Many of these services are integrated via JavaScript snippets within a web app, while others are integrated on the server side.

Vulnerabilities in any of these third-party services could compromise customer data just as easily as vulnerabilities in the main service itself. Yet most services’ Heartbleed post-mortems haven't discussed the risk of vulnerabilities in the third party services they use.

Commonly used services like Google Analytics, Mixpanel, KISSmetrics, Optimizely, Intercom, Stripe, and others would likely be a highly attractive target during a vulnerability like Heartbleed — either for intercepting information of millions of end users, or (worse) MITMing these services and injecting JavaScript code into the websites that use them.

In the case of Heartbleed, all of the services above were affected for at least some time before being patched. It’s hard to say with certainty that nobody used Heartbleed to extract user data from any of these services. And now that we know for sure that attackers can use Heartbleed to steal SSL private keys, it’s hard to say that nobody MITMed them either, though that would be more difficult to do on a large scale.

When assessing the security of your own application, keep in mind that your security is essentially no better than the least secure service whose JavaScript you embed on your site. Each third-party JavaScript you add increases the risk that a vulnerability in a system you have no control over could destroy the foundation of your web app’s security.

I say this as a former JavaScript embed developer myself. In a previous role, it would have been technically possible for me, acting entirely on my own, to inject arbitrary JavaScript code into thousands of websites. Today, thousands of engineers and system administrators have similar or greater abilities. In addition, the ability to inject arbitrary code is now a feature of A/B testing services such as Optimizely. In this case, your web app’s overall security is no stronger than the least secure Optimizely login password of any of your employees.

To prepare for the next zero-day vulnerability, online services should evaluate and limit their exposure to third-party services, especially services embedded via JavaScript. Self-hosting JavaScript files, when possible, can often limit the potential of compromised third-party services to inject malicious JavaScript code into your own website.

In addition, online services can prepare themselves by making it easy to immediately disable third-party JavaScripts that are vulnerable or not known to be safe when a vulnerability is announced.

Likewise, services that provide JavaScript snippets should prepare a way to disable their own service if they know that they are exploitable but are unable to patch themselves (as happened this week when everyone was waiting on Amazon to update their ELBs).
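One way to build the kill switch described above, as an added example that is not from the original post: every third-party script is rendered from a single registry, and disabling an entry removes both its tag and its allowance in a Content-Security-Policy header. The registry names and URLs are placeholders, and using CSP as the enforcement layer is this example's choice.

```python
# Added example: one registry drives both the <script> tags and the CSP header,
# so disabling a vendor takes effect everywhere at once.
from html import escape
from urllib.parse import urlsplit

# Constructed registry; names and URLs are placeholders, not real vendor endpoints.
EMBEDS = {
    "analytics": "https://cdn.analytics.example/a.js",
    "support-chat": "https://widget.chat.example/loader.js",
    "ab-testing": "/static/vendor/abtest.js",  # self-hosted copy
}


def active_embeds(embeds, disabled=()):
    """Return the embeds that are still allowed to load."""
    unknown = set(disabled) - set(embeds)
    if unknown:
        # A typo in the kill list must not silently leave a script enabled.
        raise KeyError(f"unknown embed(s) in kill list: {sorted(unknown)}")
    return {name: url for name, url in embeds.items() if name not in disabled}


def script_tags(embeds, disabled=()):
    """Render the <script> tags for the page template."""
    return "\n".join(
        f'<script async src="{escape(url, quote=True)}"></script>'
        for url in active_embeds(embeds, disabled).values()
    )


def csp_header(embeds, disabled=()):
    """Build a script-src policy that only names origins of enabled embeds."""
    origins = []
    for url in active_embeds(embeds, disabled).values():
        parts = urlsplit(url)
        if parts.netloc:  # self-hosted paths are already covered by 'self'
            origin = f"{parts.scheme}://{parts.netloc}"
            if origin not in origins:
                origins.append(origin)
    return "script-src " + " ".join(["'self'"] + origins)


if __name__ == "__main__":
    kill_list = {"analytics"}  # e.g. vendor not yet confirmed patched
    print(script_tags(EMBEDS, kill_list))
    print("Content-Security-Policy:", csp_header(EMBEDS, kill_list))
```

For the switch to be usable during an incident, the kill list should come from configuration that can be changed without a code deploy.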

4. Design your systems with defense in depth

The Heartbleed vulnerability was surprising in some ways — how was such a critical part of the world’s security infrastructure broken for so long with so little review? But it isn’t as surprising as one might think. There is an unmeasurably massive amount of code in the wild that almost everyone online relies on every day. And in any of those obscure lines of code there might be one simple programming mistake that was overlooked in code review, missed by a static analyzer, and deployed into production. It has happened before and it will surely happen again.

As a developer, this means that it’s necessary to design your systems with multiple levels of security to mitigate the damage if one part of your system’s security fails, whether because of a vulnerability in your own code or someone else’s code.

In the case of Heartbleed, helpful mitigation methods would have included:

In general, imagine that an attacker was able to get through one level of your security, and think about how you can still prevent them from doing something even worse.

For example, imagine that an attacker somehow gained read-access to your database through a SQL injection vulnerability, or somehow gained access to your database backups. Then it would help if sensitive fields in your database were encrypted with a key stored outside the database.

Or imagine one of your employees’ laptops was stolen. It’d help if any customer data or secret keys on it were encrypted in a TrueCrypt volume.

Or imagine that an attacker already had root access to one of your database servers. Then you're in big trouble, but it would still help if you used Tarsnap with a write-only key so that they couldn’t just delete all your data along with all your backups.

And although “security by obscurity” is a bad foundation for a cryptosystem, obscurity is a perfectly valid additional layer of “swiss cheese” in a security system. Simply making things harder to find — like choosing a non-default port for your SSH servers — can at least buy you valuable time when the next zero-day is being exploited.

Since it is inevitable that another “Heartbleed” will happen again, defense in depth is the best way to make sure your users stay as protected as possible.

The two most secure types of software are the software that never ships and the software that does nothing at all. Unfortunately, neither type is very useful to anyone. In practice, we all have to make tradeoffs between competing priorities like shipping, adding features, and improving security. While the lessons of Heartbleed are still fresh, let’s all at least take a moment to make sure we’re well prepared for the next big zero-day vulnerability.

What do you think the software community should do to prepare for the next Heartbleed?

Last Thursday’s Meltwater Entrepreneurial School of Technology (MEST) panel event, part of their “The Next Frontier” event series, brought out expert panelists from large tech companies: Google, IBM, and Microsoft. All three of these companies have a presence in Africa (indeed, around the world) and are actively developing strategies for offering their products and services in African countries and other developing nations. The panelists, top executives who specialize in African growth opportunities and Africa’s technology and innovation challenges, were asked “What Is Your Africa Strategy?”

That complicated question—which seeks to better understand exactly how they and their partners anticipate offering products and services to the more than 1 billion citizens of Africa—prompted interesting answers that highlighted why Africa is prime for growth, innovation, and success.

Africa’s massive economic growth, large working-age population, rapid urbanization, and acceleration toward mobility and connectivity are arguably all important factors for determining a strategy for success in African markets. Given these factors, the panelists shared their insight and unique perspective on how they’re approaching Africa:

Wendy Lung, of IBM’s Venture Capital Group, discussed the vast opportunity in Africa. She noted how the prevalence of mobile phones throughout the continent is an indication of how Africa has been able to leapfrog from PCs to mobile devices in a non-linear way. She also discussed the growing need for local entrepreneurs to build local solutions, and how her team is focused on skill building in the local startup community.

Ivan Lumala, CTO for Microsoft’s 4Afrika initiative, shares Lung’s view on the importance of African entrepreneurs building local solutions for their communities and regions. For companies like IBM and Microsoft, one particular strategy is not only to get Africans to “consume technology, but to also build relevant solutions.” Lumala said that Microsoft’s initiative focuses on enabling “Africa to be competitive, because it can be.”

Kendra Commander of Google agrees that there are great business opportunities for Africa as it becomes more fertile for technological growth and innovation. Google’s strategy focuses on connecting more Africans to the internet. Commander also discussed how Africa serves as a great model for emerging markets to test solutions: if critical issues can be solved in African nations (such as reliable connectivity), it can be replicated in other emerging markets.

Africa is a hotbed for opportunity and innovation and it’s no longer a question of whether the tech space in Africa is significant—few deny the magnitude—but how we best develop, tap, and nurture the space.

Perhaps the most important, revealing, and inspiring theme of the conversation was the universal recognition of Africa’s capacity for local entrepreneurship and innovation. The road to realization of the Africa opportunity is to enable local businesses and organizations to thrive on their own terms.